OWASP Newsletter #5 (20 Feb-07)

Hello, due to a hyper-busy schedule this edition of the OWASP newsletter is delivered a little later than normal (thx Mike for helping out).

As always, if you have any content to add to the next edition, feel free to add it directly to its WIKI page (OWASP Newsletter 6).

Finally, if you are a regular contributor you will notice a couple of changes on the WIKI (for example the location of the EDIT button); this is due to the recent upgrade to the latest version of MediaWiki.

Dinis Cruz

Chief OWASP Evangelist

Featured Item: OWASP Conference Europe, Italy, Milan, May 16th-17th

OWASP is soliciting both experiential and research papers for this conference as we did last year for the OWASP AppSec 2006 conference in Belgium, so if you want to do a presentation see the Call For Papers.

Featured Project: OWASP Tiger

Another AoC project, OWASP Tiger is a new tool created from the ashes of the ASP.NET tools/PoC created by Dinis Cruz (see [OWASP Autumn of Code 2006 - Projects: Owasp .Net Tools] for more details).

OWASP Tiger is a Windows application originally intended to be used for automating the process of testing various known ASP.NET security issues in hosted environments. However, it is much more versatile than that: it can help you construct and send HTTP requests, receive and analyze the responses, and match them against a set of conditions to produce alerts (notifications that something is wrong with the application(s) or service(s) being tested).

Application Security News

"The man responsible for unleashing what is believed to be the first self-propagating cross-site scripting worm has pleaded guilty in Los Angeles Superior Court to charges stemming from his most infamous hacking."

Feb 05 - Why Your Organization Must Increase Its Web Application Security Budget - "The Web application security threat is a real one. A failure to respond to this threat will result in real risk to any enterprise that stores financial or customer data. While the problem is a serious one, it is not something that cannot be fixed so long as proper attention and budget are allocated to it. Unfortunately, given the unique nature of the problem and its impact on the budgetary process, it will likely require direct intervention by the financial staff."

Feb 05 - X-Force Notes Increase in Vulnerabilities. Where are the "X-Men" to fix them? - "According to the report, which was developed by the IBM Internet Security Systems (ISS) X-Force(R) research and development team, there were 7,247 new vulnerabilities recorded and analyzed by the X-Force in 2006, which equates to an average of 20 new vulnerabilities per day. This total represents a nearly 40 percent increase over what ISS reported in 2005. Over 88 percent of 2006 vulnerabilities could be exploited remotely, and over 50 percent allowed attackers to gain access to a machine after exploitation."

Feb 05 - Rubin Smacks Diebold Once Again - "Given what I've seen about voting system standards and voting system testing labs, I would bet money that the parking garage system at Baltimore Penn Station was tested more extensively before it was deployed than the Diebold voting machines that we use in Maryland."